Got an idea? A vision?

We want to hear it.

Let’s Chat & Make It Happen

…or email us at hello@bluewhaleapps.com and we’ll follow up promptly!

Data Deletion Policy

Version: 7.8.0 | Effective Date: December 1, 2020

  • Document Created: November 14, 2020
  • Last Reviewed: January 30, 2025
  • Next Review Date: January 2026
  • Approved By: Security Officer
  • Policy Owner: Security Officer

9.1 Purpose

This Data Deletion Policy establishes procedures for secure deletion and disposal of data, ensuring proper destruction when no longer needed, protecting against unauthorized recovery, and supporting compliance with regulatory requirements and contractual obligations.

9.2 Scope

Applies to all data stored, processed, or transmitted including customer data, employee records, financial records, intellectual property, system logs, email, backup data, and all storage media types.

9.3 Policy Statements

9.3.1 Data Retention and Deletion

Data retained only as long as necessary based on business needs, legal requirements, contractual obligations, and litigation holds. Retention schedules document data type, retention period, justification, and deletion procedures.

9.3.2 Contract Termination Procedures

Upon contract termination, customer data is deleted within 30 days unless customer requests extension, legal requirements mandate retention, or contract specifies alternative timeline. Customers receive 15 days advance notice with data retrieval opportunity.

9.3.3 Secure Deletion Methods

Blue Whale Apps follows NIST SP 800-88 Guidelines for Media Sanitization:

  • Cryptographic Erasure: For encrypted data, destroy encryption keys rendering data unrecoverable.
  • Data Overwriting: Multiple pass overwriting with random patterns for unencrypted reusable media.
  • Physical Destruction: Hard drive shredding, SSD destruction, incineration for sensitive media, degaussing for magnetic media with certificate of destruction.
  • Cloud Storage Deletion: Deletion through provider APIs, verification across all regions, backup deletion, documentation of confirmation.

9.3.4 Backup and Archive Deletion

When data must be deleted, all backup copies identified and removed. Backups searched for deleted data, relevant sets deleted or sanitized, verification that no copies remain.

9.3.5 Data Subject Rights

Under GDPR and similar regulations, data subjects may request deletion. Requests verified, evaluated for legal exemptions, processed within 30 days, and confirmed to requestor.

9.4 Compliance

Supports NIST SP 800-88, GDPR Article 17, CCPA, HIPAA, SOX, ISO/IEC 27001:2022 (A.8.10, A.8.11).

Read Our Reviews